Snowflake security policies for Disabled MFA, New Privileged Access, and Terminated Employees

This article walks you through defining policies for common conditions that leave your Snowflake environment exposed to threat actors.

[Figure: Snowflake dashboard showing findings for accounts with MFA disabled]

Disabled MFA for Active Service Accounts

This policy identifies active service accounts that do not have MFA enabled, so that anyone who obtains the account's credentials could log in without a second factor.

To configure this policy:

  1. Navigate to Security > Policies

  2. Select the MFA category, then select Create Policy

  3. Name the policy “Disabled MFA for Active Service Accounts” (or a preferred alternative) and adjust the Severity, Description and Tags as needed

  4. Configure the Rule as follows:

    1. Applications

      1. Display Name is Snowflake

    2. Accounts

      1. Account Type in Service

      2. Account Status in Active

      3. MFA Status not in Enabled

  5. Once the above is configured, click Next, save the policy and enable it

  6. Optionally, add custom actions to automate a response when the policy is triggered.

New Privileged Access

This policy identifies cases where new privileged access to Snowflake has been created.

To configure this policy:

  1. Navigate to Security > Policies

  2. Select the New Access category, then select Create Policy

  3. Name the policy “New Privileged Access” (or a preferred alternative) and adjust the Severity, Description and Tags as needed

  4. Configure the Rule as follows:

    1. Applications

      1. Display Name is Snowflake

    2. Accounts

      1. Privileged is Yes

  5. Once the above is configured, click Next, save the policy and enable it

  6. Optionally, add custom actions to automate a response when the policy is triggered.

Terminated Employees

This policy lets you quickly act on Snowflake accounts that are still active even though the employee who owns the user account has been terminated.

To configure this policy:

  1. Navigate to Security > Policies

  2. Select the Terminations category, then select Create Policy

  3. Name the policy “Terminated Employees with Access to Snowflake” (or a preferred alternative) and adjust the Severity, Description and Tags as needed

  4. Configure the Rule as follows:

    1. Applications

      1. Display Name is Snowflake

    2. Accounts

      1. Account Status in Active

  5. Once the above is configured, click Next, save the policy and enable it

  6. Optionally, add custom actions to automate a response when the policy is triggered.

Creating Saved Searches

You can also run a search for accounts that meet the conditions of a risk and save it as a saved search.

To run a search:

  1. Navigate to Applications > Snowflake

  2. Select the Accounts tab and click Show next to Filters

  3. Adjust the filters to match one of the following conditions:

Service Accounts with MFA Disabled

  • Account Status: Active

  • Application: Snowflake

  • Account Type: Service

  • MFA Status: Disabled


Active Accounts for Terminated Employees

  • Account Status: Active

  • Application: Snowflake

  • User Status: Inactive, Deleted


New Privileged Accounts

  • Account Status: Active

  • Application: Snowflake

  • Privileged: Yes

  • Discovery Date: Last 7 Days

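The three policies above and the matching saved searches all reduce to filters over an account inventory. The following Python is an added example (not part of this article or of the product it describes) that applies the same conditions to a constructed list of accounts, so the detection logic can be reviewed and unit-tested outside the UI. The `Account` fields and the sample records are assumptions; they mirror the filter names used on this page, not a real export format.

```python
"""Evaluate the Snowflake account-risk conditions from the article over an
account inventory. All records below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    application: str      # every rule is scoped to Display Name is Snowflake
    name: str
    account_type: str     # "Service" or "User"
    account_status: str   # "Active" or "Disabled"
    mfa_status: str       # "Enabled", "Disabled" or "Unknown" (not yet determined)
    privileged: bool      # Privileged is Yes / No
    user_status: str      # identity-provider status: "Active", "Inactive", "Deleted"
    discovery_date: date  # when the account was first discovered


APP = "Snowflake"
AS_OF = date(2024, 6, 6)  # evaluation date for the "Last 7 Days" window


def disabled_mfa_service_accounts(accounts):
    """Policy 1: Account Type in Service, Account Status in Active,
    MFA Status not in Enabled. 'not in Enabled' also catches Unknown,
    which the narrower saved-search filter (MFA Status: Disabled) would miss."""
    return [a.name for a in accounts
            if a.application == APP and a.account_type == "Service"
            and a.account_status == "Active" and a.mfa_status != "Enabled"]


def new_privileged_accounts(accounts, today, window_days=7):
    """Policy 2 / saved search 3: Privileged is Yes, Account Status Active,
    Discovery Date within the last window_days days."""
    cutoff = today - timedelta(days=window_days)
    return [a.name for a in accounts
            if a.application == APP and a.account_status == "Active"
            and a.privileged and a.discovery_date >= cutoff]


def terminated_employee_accounts(accounts):
    """Policy 3 / saved search 2: the Snowflake account is still Active while
    the owning user is Inactive or Deleted in the identity source."""
    return [a.name for a in accounts
            if a.application == APP and a.account_status == "Active"
            and a.user_status in {"Inactive", "Deleted"}]


def evaluate(accounts, today=AS_OF):
    """Run all three policies and return findings keyed by policy name."""
    return {
        "Disabled MFA for Active Service Accounts": disabled_mfa_service_accounts(accounts),
        "New Privileged Access": new_privileged_accounts(accounts, today),
        "Terminated Employees with Access to Snowflake": terminated_employee_accounts(accounts),
    }


# Constructed inventory covering each rule's positive and negative cases.
SAMPLE_ACCOUNTS = [
    Account(APP, "svc_etl", "Service", "Active", "Disabled", False, "Active", date(2024, 1, 10)),
    Account(APP, "svc_reporting", "Service", "Active", "Enabled", False, "Active", date(2024, 1, 10)),
    Account(APP, "svc_legacy", "Service", "Disabled", "Disabled", False, "Active", date(2023, 6, 1)),
    Account(APP, "svc_unknown_mfa", "Service", "Active", "Unknown", False, "Active", date(2024, 5, 20)),
    Account(APP, "jdoe", "User", "Active", "Enabled", True, "Active", AS_OF - timedelta(days=2)),
    Account(APP, "asmith", "User", "Active", "Enabled", True, "Active", date(2024, 5, 1)),
    Account(APP, "bjones", "User", "Active", "Enabled", False, "Deleted", date(2023, 9, 15)),
    # Same risky shape but a different application: excluded by the Snowflake scope.
    Account("Salesforce", "sf_admin", "User", "Active", "Disabled", True, "Deleted", AS_OF),
]


if __name__ == "__main__":
    for policy, hits in evaluate(SAMPLE_ACCOUNTS).items():
        print(f"{policy}: {hits or 'no findings'}")
```

Running the module prints one line per policy with the matching account names. The MFA check is written as `!= "Enabled"` to match the policy's "not in Enabled" condition; if you want the saved search's stricter "MFA Status: Disabled" behaviour, compare against `"Disabled"` instead.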